How hard is it to wage a 'cyberwar,' really?

Modern life is made possible by sets of tightly interconnected systems, supplying us with electricity, water, natural gas, automobile fuels, sewage treatment, food, telecommunications, finance and emergency response. In wartime, combatants have traditionally sought to disrupt their enemies' supply systems by blowing them up. Nowadays, many of these systems are increasingly directed and monitored through the internet.

Would it be possible for our enemies to disrupt these vital systems by "blowing up" the internet?

The Obama administration is evidently worried about this possibility. In May 2009, the administration issued its Cyberspace Policy Review, which declared that "threats to cyberspace pose one of the most serious economic and national security challenges of the 21st century for the United States and our allies." A year later, the U.S. Cyber Command was launched with the aim of protecting U.S. information-technology systems and establishing U.S. military dominance in cyberspace. And new market research identifies the cyberwar sector as the "single greatest growth market in the defense and security sector," forecasting that global spending on cyberwarfare will reach $12.5 billion this year.

A new report, Reducing Systemic Cybersecurity Risk, by British researchers Ian Brown and Peter Sommer for the Organization for Economic Cooperation and Development, evaluates threats to the security of the internet and other aspects of cyberspace, including hacking, viruses, trojans, denial-of-service, distributed denial-of-service using botnets, rootkits and disruptive social engineering techniques. Such weapons have become ubiquitous and are used in government and industrial espionage, identity theft, web defacements, extortion, system hijacking and service blockading.

The recent denial-of-service attacks on Estonia and Georgia give us some sense of the effectiveness of cyber attacks. As James Lewis at the Center for Strategic and International Studies notes, "These countries came under limited cyber attack as part of larger conflicts with Russia, but in neither case were there casualties, loss of territory, destruction or serious disruption of critical services."

Brown and Sommer conclude that "it is unlikely that there will ever be a true cyberwar," by which they mean one fought solely over and with information technologies. Why? Because it takes effort to figure out new vulnerabilities in already protected critical systems and the effects of an attack are difficult to predict, including blowback on the perpetrators. More importantly, they note, "There is no strategic reason why an aggressor would limit themselves to only one class of weaponry." In a real war, cyberattacks would be an adjunct to conventional efforts to blow up critical infrastructure.

And if cyberwarfare against infrastructure were easy, terrorists like al Qaida would have already tried the tactic against the United States.

Brown and Sommer observe that the internet and the physical telecommunications infrastructure are designed to be robust and self-healing, so that failures in one part are routed around. "You have to be cautious when hearing from people engaging in fear-mongering about huge blackouts and collapses of critical infrastructures via the internet," says University of Toronto cyberwarfare expert Ronald Deibert in the January-February 2011 issue of the Bulletin of the Atomic Scientists. "There is a lot of redundancy in the networks; it's not a simple thing to turn off the power grid."

While not everyone uses up-to-date malware detection, most government agencies, major businesses and many individuals do, which means that would-be attackers must take the time and effort to find new flaws and develop new techniques. For example, the success of the Stuxnet worm that attacked and disabled Iranian nuclear centrifuges required very extensive intelligence gathering and knowledge of specific software flaws, as well as someone able to walk into the facilities with an infected USB drive.

Brown and Sommer are urging governments to ratify the Convention on Cybercrime. The chief treaty holdouts are Russia and China, countries from which many recent cyberattacks appear to have originated. "We should not forget that many of the countries that are havens for cybercrime have invested billions in domestic communications monitoring to supplement an already extensive set of police tools for political control," notes James Lewis. "The notion that a cybercriminal in one of these countries operates without the knowledge and thus tacit consent of the government is difficult to accept. A hacker who turned his sights from Tallinn to the Kremlin would have only hours before his service was cut off, his door was smashed down and his computer confiscated."

Another fruitful way to address emerging threats suggested by the authors is to strengthen connections between national computer emergency response teams. Experts for these teams, who operate as a kind of early warning system, devise software fixes to stop the spread of new malware. And they think that public policy, including procurement, can be used to encourage the development of properly tested hardware and software.

While blowing up the entire internet probably won't happen, espionage, hacking and malware will be with us always. Whatever we do to defend against them will also defend against the threat of all-out cyberwarfare.